- From: Jonathan Kingston <jonathan@jooped.com>
- Date: Wed, 30 Sep 2015 00:07:14 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKrjaaWpj+koHNX0JoegJbv2ADMa=7_-iT1C68+FrmJ0tGQGEA@mail.gmail.com>
So as to create somewhat of a new topic diversion on this group I wanted to table the discussion of password creation. The Credential Management API at some point will need to allow users to create passwords somehow.

The core issues as I see it are:

- Sites create schemes that users can't understand
- Sites are under the illusion that limiting down the character set to include x upper, x digits, and x special chars makes passwords much stronger
- Sites have a finite storage limitation
- Sites have a processing limitation
- Users are likely to pick bad passwords, so some of these rules, limits and design choices have happened because of that

As I am purely talking about auto generation of passwords, I think:

- The user is no longer an issue
- Characters may be a design limitation to what a site can store; however, in implementing the Credential Management API we should assume validation should change
- base64 compatible encoding is ideal for storage
- The closest to random passwords is a design goal
- Computational power of the user agent and algorithm complexity becomes an issue instead
- Storage and processing are still issues

I started the discussion here of using credential classes that cover specific use cases whilst also stopping the website making poor choices: https://github.com/w3c/webappsec/issues/250#issuecomment-136005063

Kind regards
Jonathan
Received on Wednesday, 30 September 2015 00:07:53 UTC
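To make the two points in the mail concrete (a user agent drawing passwords uniformly from a base64-compatible alphabet, and composition rules shrinking rather than growing the search space), here is an added example that is not part of the original post or of the Credential Management API. The character classes, the `!@#$%^&*` symbol set and the lengths are constructed assumptions; a site's real rules will differ.

```python
import math
import secrets
import string
from itertools import combinations

# Disjoint character classes (constructed for this example; real site rules vary).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*",
}
# The "base64 compatible" alphabet the mail suggests is storage friendly (base64url).
BASE64URL = string.ascii_letters + string.digits + "-_"
FULL = "".join(CLASSES.values())


def generate(length, alphabet=BASE64URL, required=()):
    """Password of `length` chars from the OS CSPRNG. Candidates that miss a
    required class are rejected, so the output stays uniform over the set of
    strings the site accepts (no biased 'patch in a digit' fix-ups)."""
    if length < len(required) or any(not set(CLASSES[r]) & set(alphabet) for r in required):
        raise ValueError("constraints cannot be satisfied")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in CLASSES[r] for c in pw) for r in required):
            return pw


def accepted_count(length, alphabet=BASE64URL, required=()):
    """Number of strings of `length` over `alphabet` containing at least one
    char from every required class, by inclusion-exclusion over the subsets of
    required classes that are absent. This is the space a guesser must cover."""
    n = len(alphabet)
    sizes = [len(set(CLASSES[r]) & set(alphabet)) for r in required]
    return sum((-1) ** k * (n - sum(ex)) ** length
               for k in range(len(sizes) + 1)
               for ex in combinations(sizes, k))


def entropy_bits(length, alphabet=BASE64URL, required=()):
    """log2 of the accepted space: the strength of a uniformly drawn password."""
    return math.log2(accepted_count(length, alphabet, required))


if __name__ == "__main__":
    rules = tuple(CLASSES)
    print("8 chars, all four classes required:", round(entropy_bits(8, FULL, rules), 1), "bits")
    print("12 chars base64url, no rules:      ", round(entropy_bits(12), 1), "bits")
    print(generate(8, FULL, rules), generate(12))
```

Running it shows the 8-character composition-rule password sitting around 49 bits while 12 unconstrained base64url characters give 72 bits, so length, not mandated classes, is what a generator should spend a site's storage limit on.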